Carriers Selling Your Data: a $24 Billion Business

An anonymous reader writes: It goes without saying that cellphone carriers have access to tons of data about their subscribers. They have data about who you call, what sites you visit, and even where you're located. Now: "Under the radar, Verizon, Sprint, and other carriers have partnered with firms including SAP to manage and sell data." The article describes some of the ways this data is used by marketers: "The service also combines data from telcos with other information, telling businesses whether shoppers are checking out competitor prices on their phones or just emailing friends. It can tell them the age ranges and genders of people who visited a store location between 10 a.m. and noon, and link location and demographic data with shoppers' web browsing history. Retailers might use the information to arrange store displays to appeal to certain customer segments at different times of the day, or to help determine where to open new locations." Analysts estimate this fledgling industry to be worth about $24 billion to the carriers, and they project huge growth over the next several years. The carriers are trying to keep it a tightly held secret after seeing the backlash from the public in response to government snooping, which involves much less private data.

Profit from you

Of course all this private data lets the marketers profit from you. It's you that ultimately pay for this. If they couldn't milk more profit by buying this data, then it wouldn't be worth buying!

$2 billion will be spent on elections this cycle, and a lot of that will be buying up the private data of candidates, their campaigners, their families to look for what papers they've read, what facts they're reviewed, and so on. Choicepoint is still there under a different name, still analyzing your vote, and demographic and looking for ways to skew the vote. Now it has access to everything from your purchases to your movements, who you are with, etc.:

https://en.wikipedia.org/wiki/ChoicePoint

And the $10 billion dollar gorilla in the room.... the NSA. If you *consent* to the sale by clicking an EULA you never read, then who needs to redefine laws? They are simply buying the data just like Bob the sleezy marketer.

And if Congress wants to pass privacy laws.... all those actors will oppose it behind the scenes.

Re:Profit from you

[AHuxley]

Re "And if Congress wants to pass privacy laws.... all those actors will oppose it behind the scenes."
Yes the idea to remove "personally identifiable information" by “the extent feasible” was an amendment that failed.
The US brands can collect all they want and sell in any form they want.. as collected.
The other option was to try and secure personally identifiable information when it was collected/found/given to the US gov.
That failed. The US gov can get and keep the personally identifiable information.
The powerful Freedom of Information Act (FOIA) exemptions in place to track who was offering what data to the US and what the US gov was planning to do with data could have been extended to help the wider public track such private data use.
As the "proprietary information" moved from the private sector to the US gov its still 'proprietary information". No FOIA for the media, press to even start to understand what been done by what agency or the mil.
One of the ideas was to really set limits on what data could be even considered for gov buy in use or demands. The US gov only gets data when it really needs it rather than just a collect it all private sector bulk deal.
Some good attempts got presented to keep data private or understand its use or restrict collection.
Private sector data is up for sale to any entity for the right price and most weak gov protections have been removed, further weakened or totally blocked.

You Are Always the Product

[ohnocitizen]

When we hear about free services snooping on you, people are quick to say "Free service? You are the product" and "not surprised". Yet we pay our telcos (sometimes ridiculous sums of money), and we are STILL the product. And guess what? The degree to which we allow ANY company or government agency to snoop on us allows the rest to get away with more too. So if we want to take a stand to keep some shreds of privacy intact, we need to take a powerful pro-privacy stance. We need to punish ANY organization that goes too far invading privacy, and establish laws and regulations to give us teeth for when they violate that privacy. And we need to stop reacting to news of privacy violations with dull acceptance. We need to fight back and one of our best tools available is to campaign hard to regulate the industry.

latest update was loaded

[dltaylor]

The latest software update for my phone was loaded with this kind of carrier (Virgin Mobile on Sprint) crap (yes, I have complained to VM, but no, they're not going to take it back). Fortunately, HTC has tools to delete things from the "ROM", so it isn't permanent on the phone I have.

Anonymous data? Remember AOL Search?

Even aggregate data has its malicious uses, but such data is rarely anonymous. Remember the AOL search history release?

https://en.wikipedia.org/wiki/AOL_search_data_leak

AOL released the "ANONYMIZED" search history of its users, only to find it was quite easy to datamine their identity... just from this one set of data. If you have multiple sets, it becomes trivial to do so. e.g. they visit the pizza ordering page, you have the customer list for the pizza place, so you know that that user's details, and by extension all of the other stuff, and if their searches contain "Herpes cures" and "Herpes Clinic", then I wouldn't share a pizza with them.

Even as aggregate data it can be misused. Recall Choicepoint?

http://www.theguardian.com/commentisfree/2006/jul/08/comment.mainsection4

They were the company that analyzed the voting roll in swing states for likely Democrat voters, then analyzed for matching names in other states to create "scrub lists", lists of people to be scrubbed from the electoral role on false claim of fraud. So if Bob Jones in Florida was likely to vote Democrat, they'd find another Bob Jones in another state, and add him to the scrub list to block his vote.

By analyzing the individual wards for bias, they could determine which wards should receive defective voting machines to swing the vote. Hanging chads were not randomly distributed. Those faulty machines were sent largely to black districts.

That was AGGREGATE data, they didn't know how an individual "Bob Jones" would vote, they knew the voting likelihood of his demographic.

One of the tricks used was to send "confirm your residency to be allowed to vote" letters out.... to students (students on *aggregate* vote Democrat) during the summer break requiring a signature from them on receipt. So the student was away on holiday, couldn't get the letter and wouldn't be allowed to vote. The vote was during term time, so they knew the student would be there for the vote, but not for the letter.

This data would let them fine tune such strategies, and often (see AOL) down to individuals.

Re:Anonymous data? Remember AOL Search?

[TheRaven64]

ChoicePoint is obviously evil. The more subtle one is one of the services that Facebook offers. In most elections, a large percentage of voters either won't vote, or will vote for a particular party and won't have their minds changed by anything. This means that the election is usually decided by the swing voters - the 5-10% who are undecided. Facebook can, fairly accurately, identify who the swing voters are and, for each one what issues they find most important. More than that, it is willing to sell this information and to sell targeted advertising space. You can buy ads to target swing voters in constituency X, who think that issue Y is important. They'll only see the ad showing that your candidate has strong views that align with theirs on that issue. Someone else will see ads showing that the most important issue for your candidate is the thing that they care about. This is far harder to detect than something as blunt as ChoicePoint. The people seeing the ads have no idea that they're targeted, they only know that a particular candidate looks as if he or she really understands the issue of importance to them.

Token Anonymization

From the article:

It "tells you where your consumers are coming from, because obviously the mobile operator knows their home location,"

SAP receives non-personally-identifiable, anonymized information from telcos,

If they know where you live, you aren't anonymous. This is yet another example of ineffective "token anonymization" so they can say its anonymized while laughing as they automatically de-anonymize it.

Re:How is this under the radar?

[AHuxley]

"Senate Rejects All CISA Amendments Designed To Protect Privacy, Reiterating That It's A Surveillance Bill" (Oct 27th 2015 )
https://www.techdirt.com/artic...
All your data is for sale and no looking or asking about what the US is buy or using it for :)

Again the question for presidential candidates:

"What is your hypothetical administration going to do to end this nonsense of the federal government spying on it's citizens without a warrant when:
      1- Historical information shows clearly that incidents of crime and terrorism have not been reduced in a credible way by warrantless wiretapping of citizens.
      2- Warrantless wiretapping has lead to trials where the first and fourth amendment rights of the defendants has been largely ignored
      3- Evidence collected by warrantless wiretapping of citizens has been used to support charges against said defendants despite their rights being violated.
      4- Spying on citizens CLEARLY represents a waste of taxpayer dollars that could be spent on using said resources to fight terrorism.
      5- Repeated spying on defendants such as Aaron Schwartz, has lead to situations where the very people who are experts that could contribute to the improvement of the use of surveillance where it is warranted in a fair and lawful way are victimized ,turning the US into a "Surveillance State" where anyone with any level of technical sophistication wants nothing to do with contributing their expertise to the betterment of said society.
      And finally:
      6- Any credible polling of the American public indicates that constituents of both major political parties clearly DO NOT WANT to live in a surveillance state?"
Ask Donald Trump, Ask Hillary Clinton, ask Bernie Sanders etc.. and watch them stumble and hone and haw or watch them go into some circular non-sequitur argument about "Well I love America and those people who have nothing to hide have nothing to fear and we are trying to prevent 9-11, thats right Nine Eleven! Nine Eleven was bad!" and other tired old clap trap.

This situation is unacceptable, and you don't stay in business by screwing over your customers.

Example employer buys tracks

Imagine I'm an employer and I buy the local set of phone location tracks, that are 'anonymous'.

I have my employees home addresses, a GIS database gives me the corresponding GPS coordinates, (data point1), I know the factory GPS coordinates (data point 2), so I can then filter that data using those two points to determine what 'anonymous' data corresponds to each of my employees.

Now I have effective tracking of my employees, and I can link in their search history, their friends, any hospitals, any bad habits... all can be de-anonymized easily.

Even if I didn't have their home address, they check in each data at the factory, so I have a time and location for many number of days, so I have many data points, to de-anonymize any data you give me.

There simply is no such thing as anonymous data. It's not meta data, its data.

Re:$24 billion dollars

You appear to be confused. This is capitalism. The aim of capitalism is to maximize profits, not to minimize consumer cost.

This is equivalent to

[presidenteloco]

If the old-school telephone companies hired people to listen in to your phone calls then sold the info to the highest bidder.
Or the post office routinely steaming open the envelopes of your letters and selling the info, or using it to extort you.

If this sh*t ain't against the law it should be.

They're a common carrier and nothing more. Get off my lawn.

I WOULD use a vpn ...

[TheGratefulNet]

but I'm on android 4.x and 4.x is marked 'wont fix' by google and their vpn (ipsec, I think; not sure which component is broken) just will not work.

https://code.google.com/p/andr...

hey google fans, care to try to defend google, here?

I'm not able to (easily) upgrade beyond 4.x on my phone and vpn is still broken. do you guys find this behavior (wontfix) acceptable?

I sure wish I could run my vpn again. funny that on my ancient nexus one (which is stuck on 2.2) runs the vpn software just fine. and I know that on a 5.x phone it also runs fine. why google ignores this show-stopper bug, I have no idea; but 'upgrade to a new phone' is never a good answer when its JUST a software fix that lazy-assed google refused to backport.